DroidTrace: A Ptrace Based Android Dynamic Analysis System with Forward Execution Capability

Abstract.
Android, being an open source smartphone operating system, enjoys a large
community of developers who create new mobile services and applications.
However, it also attracts malware writers to exploit Android devices in order to
distribute malicious apps in the wild. In fact, Android malware is becoming
more sophisticated, using advanced "dynamic loading" techniques such as Java
reflection or native code execution to bypass security detection. To detect
dynamic loading, one has to use dynamic analysis. Currently, there are only a
handful of Android dynamic analysis tools available, and they all have
shortcomings in detecting dynamic loading. The aim of this paper is to design
and implement a dynamic analysis system which allows analysts to perform
systematic analysis of dynamic payloads with malicious behaviors. We propose
"DroidTrace", a ptrace based dynamic analysis system with forward execution
capability. Our system uses ptrace to monitor selected system calls of the
target process that runs the dynamic payloads, and classifies the payloads'
behaviors from the system call sequence, such as file access, network
connection, inter-process communication and even privilege escalation.
DroidTrace also performs "physical modification" to trigger different dynamic
loading behaviors within an app. Using DroidTrace, we carry out a large-scale
analysis of 36,170 dynamic payloads in 50,000 apps and 294 malware samples from
10 families (four of them zero-day) with various dynamic loading behaviors.
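As an added illustration of the system-call-sequence classification the abstract describes (example code written for this page, not DroidTrace's own implementation), the script below parses a constructed strace-style trace and correlates file descriptors across calls to label file access, network connection, binder IPC and privilege escalation. The trace lines, the payload path and the IP address are made up for the example.

```python
"""Classify a ptrace/strace-style syscall sequence into the behaviour classes
named in the abstract. Illustrative code, not the DroidTrace implementation."""
import re

CALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\w+)')   # name(args) = ret
STR_RE = re.compile(r'"([^"]*)"')                        # quoted string args

# Constructed sample trace (strace-like output); not captured from a real app.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/data/data/com.example/files/payload.dex", O_RDONLY) = 5
read(5, "dex", 3) = 3
close(5) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
open("/dev/binder", O_RDWR) = 7
ioctl(7, BINDER_WRITE_READ, 0x7fff0000) = 0
execve("/system/xbin/su", ["su"], 0x7fff1000) = 0
setuid(0) = 0
"""


def classify_trace(trace):
    """Return (category, detail) pairs. A single syscall is rarely meaningful
    on its own: read(5) only counts as file access once we know which
    open()/openat() produced fd 5, so descriptors are tracked across calls."""
    fds = {}        # fd (as string) -> ("file", path) or ("socket", None)
    findings = []
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        name, args, ret = m.groups()
        strings = STR_RE.findall(args)
        first = args.split(",")[0].strip()   # first argument, usually the fd
        if name in ("open", "openat") and ret.isdigit():
            fds[ret] = ("file", strings[0])
        elif name == "socket" and ret.isdigit():
            fds[ret] = ("socket", None)
        elif name == "close":
            fds.pop(first, None)              # fd number may be reused later
        elif name in ("read", "write", "pread64", "pwrite64"):
            kind, path = fds.get(first, (None, None))
            if kind == "file":
                findings.append(("file_access", path))
        elif name == "connect" and fds.get(first, (None,))[0] == "socket":
            ip = re.search(r'inet_addr\("([^"]*)"\)', args)
            findings.append(("network_connection", ip.group(1) if ip else "?"))
        elif name == "ioctl" and fds.get(first, (None, None))[1] == "/dev/binder":
            findings.append(("ipc", "binder"))
        elif name == "execve" and strings and strings[0].endswith("/su"):
            findings.append(("privilege_escalation", strings[0]))
        elif name == "setuid" and first == "0" and ret == "0":
            findings.append(("privilege_escalation", "setuid(0)"))
    return findings
```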